Study Finds Holes In Health Data Encryption

There is a rising tide of worry about health data encryption. And, no matter how much healthcare tells us that everything is okay, more people are expressing their concerns. And, when reports such as the one we are going to look at today come around, it’s no real surprise.

The study, performed by Microsoft, has reached an alarming conclusion. And, it’s one that will add fuel to the fires of those that have serious concerns about data breaches. You can read the full report here – although be aware it is a PDF. Microsoft looked at the security effectiveness of CryptDB, a form of encryption used in the healthcare industry. It works in a similar way to most encryption systems, in that hackers usually need a key to see or get hold of encrypted data.

It used a lot, due to one particular reason: ease of use. In essence, the system is easy to set up, is fast, and needs few changes to the database infrastructure that is already in place. But, for all its benefits, the study revealed a major issue in that it wasn’t always successful at keeping out hackers.

It went something like this. Researchers used data that is often targeted by hackers, such as authentic patient information. It’s the same kind that is used in many hospitals and surgeries across the country. They then began to attack the CryptDB system, using conventional methods of cyber attack. Unfortunately, the attacks were able to reveal personal information. And all without too much effort, either.

One part of the research ended up accessing all kinds of things about patients. It included their mortality risk, their admission dates and lengths of stay, and the severity of their disease. In some cases, the attacks revealed those details for every single one of those patients, in every single one of the hospitals.

The study was also able to show where things were falling down, too. The researchers found that when employees accessed the patient data, it was stored in the computer’s memory. And, it was at the point of decryption that hackers could get in and get their hands on the sensitive information. Interestingly, the report also notes that while data encryption was at fault, it is not a requirement of HIPAA. However, that isn’t quite right.

The Health Insurance Portability and Accountability Act was brought about in 1996. It gives patients protection with regards to their healthcare records. Essentially, encryption requirements for HIPAA state that health organizations don’t have to encrypt. But, they will need a very good excuse, in writing, if they don’t. And, if a particular organization does suffer a data breach, they can expect a bit of a grilling.

In short, data encryption is necessary. But given the fact that information can be accessed at the point of decryption, it isn’t the only route health care should be taking. With the world going mad for data breaches over the last couple of years, there’s only one way things will go. Particularly for any organization who don’t take security seriously. And one that involves hefty fines, and potentially a loss of business.